<div dir="ltr">No, all real machines.<div><br></div><div>I'm really sorry it's taking so much of your time. </div><div>I had tried almost everything on a VM setting first, and everything was fine. </div><div>Everything always works fine, until you actually need it.</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 20 March 2015 at 19:41, Dmitri Pal <span dir="ltr">&lt;<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span class="">
<div>On 03/20/2015 01:57 PM, Roberto
Cornacchia wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">But the ipa server itself is also enrolled as a
client, just after the server installation, right? And that
worked fine.</div>
</blockquote>
<br></span>
Are these VMs?<br>
There has been a similar case when the network was not set properly
for the virtual test environment.<div><div class="h5"><br>
<br>
<blockquote type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">On 20 March 2015 at 18:55, Roberto
Cornacchia <span dir="ltr">&lt;<a href="mailto:roberto.cornacchia@gmail.com" target="_blank">roberto.cornacchia@gmail.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<p dir="ltr">No, sorry about the confusion, I shouldn't
have posted so quickly.</p>
<p>When I use the correct domain (<a href="http://hq.example.com" target="_blank">hq.example.com</a>), then I really get
all the same errors as before, also in the new client.</p>
<p><br>
</p>
<p dir="ltr"><br>
</p>
<div class="gmail_quote">
<div>
<div>On 20 Mar 2015 18:39, "Dmitri Pal"
&lt;<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>&gt;
wrote:<br type="attribution">
</div>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div>
<div bgcolor="#FFFFFF" text="#000000">
<div>On 03/20/2015 01:25 PM, Roberto Cornacchia
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Oops. Not true, forget last
email.
<div><br>
</div>
<div>This second client installation went
differently just because it took the wrong
domain.</div>
<div>It used <b><a href="http://example.com" target="_blank">example.com</a></b> (what
was previously set) instead of <b><a href="http://hq.example.com" target="_blank">hq.example.com</a></b></div>
<div><br>
</div>
<div>Uninstalled, tried again with
--hostname=<a href="http://photon.hq.example.com" target="_blank">photon.hq.example.com</a></div>
<div>And then it behaves precisely like the
previous client.</div>
<div><br>
</div>
<div>So something seems wrong in the server.</div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 20 March
2015 at 18:18, Roberto Cornacchia <span dir="ltr">&lt;<a href="mailto:roberto.cornacchia@gmail.com" target="_blank">roberto.cornacchia@gmail.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>
<div><font face="arial,
helvetica, sans-serif">Update:</font></div>
<div><font face="arial,
helvetica, sans-serif">I
tried from another client.
Also FC21, same network,
same settings from the same
DHCP. </font></div>
<div><font face="arial,
helvetica, sans-serif">But
obviously it must have
something different because
it partially succeeded.</font></div>
<div><font face="arial,
helvetica, sans-serif"><br>
</font></div>
<div><font face="arial,
helvetica, sans-serif">- I
do not get errors about LDAP
users.</font></div>
<div><font face="arial,
helvetica, sans-serif">- I
do not get errors about DNS
update</font></div>
<div><font face="arial,
helvetica, sans-serif"><br>
</font></div>
<div><font face="arial,
helvetica, sans-serif">However:</font></div>
<div><font face="arial,
helvetica, sans-serif">- I
still get the initial error
about NTP</font></div>
<div><font face="arial,
helvetica, sans-serif">- The
host is enrolled, but not
added to the DNS zone</font></div>
<div><font face="arial,
helvetica, sans-serif"><br>
</font></div>
<div><font face="arial,
helvetica, sans-serif">Now,
I don't care much about the
previous client. It was
pretty much empty and I can
re-install Fedora from
scratch. </font></div>
<div><font face="arial,
helvetica, sans-serif"><br>
</font></div>
<div><font face="arial,
helvetica, sans-serif">But
I'd like to understand if
this is still a problem.</font></div>
<div><font face="arial,
helvetica, sans-serif">It
should be added to the zone,
shouldn't it?</font></div>
<div><font face="monospace,
monospace"><br>
</font></div>
<div><font face="monospace,
monospace">$
ipa-client-install
--mkhomedir --ssh-trust-dns
--force-ntpd</font></div>
<div><font face="monospace,
monospace">Discovery was
successful!</font></div>
<div><font face="monospace,
monospace">Hostname: <a href="http://photon.example.com" target="_blank">photon.example.com</a></font></div>
<div>
<div>
<div><font face="monospace,
monospace">Realm: <a href="http://HQ.EXAMPLE.COM" target="_blank">HQ.EXAMPLE.COM</a></font></div>
<div><font face="monospace,
monospace">DNS Domain: <a href="http://hq.example.com" target="_blank">hq.example.com</a></font></div>
<div><font face="monospace,
monospace">IPA Server: <a href="http://ipa.hq.example.com" target="_blank">ipa.hq.example.com</a></font></div>
<div><font face="monospace,
monospace">BaseDN:
dc=hq,dc=example,dc=com</font></div>
<div><font face="monospace,
monospace"><br>
</font></div>
<div><font face="monospace,
monospace">Continue to
configure the system
with these values? [no]:
yes</font></div>
<div><font face="monospace,
monospace">Synchronizing
time with KDC...</font></div>
<div><font color="#ff0000" face="monospace,
monospace"><b>Unable to
sync time with IPA NTP
server, assuming the
time is in sync.
Please check that 123
UDP port is opened.</b></font></div>
<div><font face="monospace,
monospace">User
authorized to enroll
computers: admin</font></div>
<div><font face="monospace,
monospace">Password for
<a href="mailto:admin@HQ.EXAMPLE.COM" target="_blank">admin@HQ.EXAMPLE.COM</a>:</font></div>
<div><font face="monospace,
monospace">Successfully
retrieved CA cert</font></div>
<div><font face="monospace,
monospace"> Subject:
CN=Certificate
Authority,O=<a href="http://HQ.EXAMPLE.COM" target="_blank">HQ.EXAMPLE.COM</a></font></div>
<div><font face="monospace,
monospace"> Issuer:
CN=Certificate
Authority,O=<a href="http://HQ.EXAMPLE.COM" target="_blank">HQ.EXAMPLE.COM</a></font></div>
<div><font face="monospace,
monospace"> Valid
From: Mon Mar 16
18:44:35 2015 UTC</font></div>
<div><font face="monospace,
monospace"> Valid
Until: Fri Mar 16
18:44:35 2035 UTC</font></div>
<div><font face="monospace,
monospace"><br>
</font></div>
<div><font face="monospace,
monospace">Enrolled in
IPA realm <a href="http://HQ.EXAMPLE.COM" target="_blank">HQ.EXAMPLE.COM</a></font></div>
<div><font face="monospace,
monospace">Created
/etc/ipa/default.conf</font></div>
<div><font face="monospace,
monospace">New SSSD
config will be created</font></div>
<div><font face="monospace,
monospace">Configured
sudoers in
/etc/nsswitch.conf</font></div>
<div><font face="monospace,
monospace">Configured
/etc/sssd/sssd.conf</font></div>
<div><font face="monospace,
monospace">Configured
/etc/krb5.conf for IPA
realm <a href="http://HQ.EXAMPLE.COM" target="_blank">HQ.EXAMPLE.COM</a></font></div>
<div><font face="monospace,
monospace">trying <a href="https://ipa.hq.example.com/ipa/json" target="_blank">https://ipa.hq.example.com/ipa/json</a></font></div>
<div><font face="monospace,
monospace">Forwarding
'ping' to json server '<a href="https://ipa.hq.example.com/ipa/json" target="_blank">https://ipa.hq.example.com/ipa/json</a>'</font></div>
<div><font face="monospace,
monospace">Forwarding
'ca_is_enabled' to json
server '<a href="https://ipa.hq.example.com/ipa/json" target="_blank">https://ipa.hq.example.com/ipa/json</a>'</font></div>
<div><font face="monospace,
monospace">Systemwide CA
database updated.</font></div>
<div><font face="monospace,
monospace">Added CA
certificates to the
default NSS database.</font></div>
</div>
</div>
<span>
<div><font face="monospace,
monospace">Adding SSH
public key from
/etc/ssh/ssh_host_rsa_key.pub</font></div>
</span><span>
<div><font face="monospace,
monospace">Adding SSH
public key from
/etc/ssh/ssh_host_ed25519_key.pub</font></div>
</span>
<div><font face="monospace,
monospace">Adding SSH public
key from
/etc/ssh/ssh_host_dsa_key.pub</font></div>
<span>
<div><font face="monospace,
monospace">Adding SSH
public key from
/etc/ssh/ssh_host_ecdsa_key.pub</font></div>
</span><span>
<div><font face="monospace,
monospace">Forwarding
'host_mod' to json server
'<a href="https://ipa.hq.example.com/ipa/json" target="_blank">https://ipa.hq.example.com/ipa/json</a>'</font></div>
<div><font color="#ff0000" face="monospace,
monospace"><b>Could not
update DNS SSHFP
records.</b></font></div>
<div><font face="monospace,
monospace">SSSD enabled</font></div>
<div><font face="monospace,
monospace">Configured
/etc/openldap/ldap.conf</font></div>
</span><span>
<div><font face="monospace,
monospace">NTP enabled</font></div>
<div><font face="monospace,
monospace">Configured
/etc/ssh/ssh_config</font></div>
<div><font face="monospace,
monospace">Configured
/etc/ssh/sshd_config</font></div>
<div><font face="monospace,
monospace">Configuring <a href="http://hq.example.com" target="_blank">hq.example.com</a>
as NIS domain.</font></div>
<div><font face="monospace,
monospace">Client
configuration complete.</font></div>
</span></div>
<div><br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
<br>
<br>
</blockquote>
<br>
It is different. It does not have the same
failure about admin as you had in the first
email.<br>
So maybe it is the permissions issue and a
separate NTP issue?<br>
Did you play with any permissions on the server
side?<br>
<br>
<br>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</div>
<br>
</div>
</div>
<span>--<br>
Manage your subscription for the Freeipa-users
mailing list:<br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go to <a href="http://freeipa.org" target="_blank">http://freeipa.org</a>
for more info on the project<br>
</span></blockquote>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
<br>
</blockquote>
<br>
<br>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</div></div></div>
<br></blockquote></div><br></div>